Add google_project_iam_binding resource.

Add a resource that manages just a single binding within a Google project's IAM Policy. Note that this resource should not be used when google_project_iam_policy is used, or they will fight over which is correct. This also required wrapping the error returned from setProjectIamPolicy, as we need to test to see if it's a 409 error and retry, which can't be done if we just use fmt.Errorf.
2024-07-03 08:42:39 +00:00 · 2017-07-03 19:01:08 -07:00 · 2017-07-03 19:01:08 -07:00 · 8e704876bc
commit 8e704876bc
parent c48ef17ed7
4 changed files with 497 additions and 1 deletions
--- a/google/provider.go
+++ b/google/provider.go
@ -6,6 +6,7 @@ import (
 	"log"
 	"strings"

+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/terraform/helper/mutexkv"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
@ -106,6 +107,7 @@ func Provider() terraform.ResourceProvider {
 			"google_sql_user":                       resourceSqlUser(),
 			"google_project":                        resourceGoogleProject(),
 			"google_project_iam_policy":             resourceGoogleProjectIamPolicy(),
+			"google_project_iam_binding":            resourceGoogleProjectIamBinding(),
 			"google_project_services":               resourceGoogleProjectServices(),
 			"google_pubsub_topic":                   resourcePubsubTopic(),
 			"google_pubsub_subscription":            resourcePubsubSubscription(),
@ -279,6 +281,18 @@ func handleNotFoundError(err error, d *schema.ResourceData, resource string) err
 	return fmt.Errorf("Error reading %s: %s", resource, err)
 }

+func isConflictError(err error) bool {
+	if e, ok := err.(*googleapi.Error); ok && e.Code == 409 {
+		return true
+	} else if !ok && errwrap.ContainsType(err, &googleapi.Error{}) {
+		e := errwrap.GetType(err, &googleapi.Error{}).(*googleapi.Error)
+		if e.Code == 409 {
+			return true
+		}
+	}
+	return false
+}
+
 func linkDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
 	parts := strings.Split(old, "/")
 	if parts[len(parts)-1] == new {
--- a/google/resource_google_project_iam_binding.go
+++ b/google/resource_google_project_iam_binding.go
@ -0,0 +1,244 @@
+package google
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+func resourceGoogleProjectIamBinding() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGoogleProjectIamBindingCreate,
+		Read:   resourceGoogleProjectIamBindingRead,
+		Update: resourceGoogleProjectIamBindingUpdate,
+		Delete: resourceGoogleProjectIamBindingDelete,
+
+		Schema: map[string]*schema.Schema{
+			"project": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+			},
+			"role": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"members": &schema.Schema{
+				Type:     schema.TypeSet,
+				Required: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"etag": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceGoogleProjectIamBindingCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	pid, err := getProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	// Get the binding in the template
+	log.Println("[DEBUG]: Reading google_project_iam_binding")
+	p := getResourceIamBinding(d)
+	mutexKV.Lock(projectIamBindingMutexKey(pid, p.Role))
+	defer mutexKV.Unlock(projectIamBindingMutexKey(pid, p.Role))
+
+	for {
+		backoff := time.Second
+		// Get the existing bindings
+		log.Println("[DEBUG]: Retrieving policy for project", pid)
+		ep, err := getProjectIamPolicy(pid, config)
+		if err != nil {
+			return err
+		}
+		log.Printf("[DEBUG]: Retrieved policy for project %q: %+v\n", pid, ep)
+
+		// Merge the bindings together
+		ep.Bindings = mergeBindings(append(ep.Bindings, p))
+		log.Printf("[DEBUG]: Setting policy for project %q to %+v\n", pid, ep)
+		err = setProjectIamPolicy(ep, config, pid)
+		if err != nil && isConflictError(err) {
+			log.Printf("[DEBUG]: Concurrent policy changes, restarting read-modify-write after %s\n", backoff)
+			time.Sleep(backoff)
+			backoff = backoff * 2
+			if backoff > 30*time.Second {
+				return fmt.Errorf("Error applying IAM policy to project %q: too many concurrent policy changes.\n")
+			}
+			continue
+		} else if err != nil {
+			return fmt.Errorf("Error applying IAM policy to project: %v", err)
+		}
+		break
+	}
+	log.Printf("[DEBUG]: Set policy for project %q", pid)
+	d.SetId(pid + ":" + p.Role)
+	return resourceGoogleProjectIamBindingRead(d, meta)
+}
+
+func resourceGoogleProjectIamBindingRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	pid, err := getProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	eBinding := getResourceIamBinding(d)
+
+	log.Println("[DEBUG]: Retrieving policy for project", pid)
+	p, err := getProjectIamPolicy(pid, config)
+	if err != nil {
+		return err
+	}
+	log.Printf("[DEBUG]: Retrieved policy for project %q: %+v\n", pid, p)
+
+	var binding *cloudresourcemanager.Binding
+	for _, b := range p.Bindings {
+		if b.Role != eBinding.Role {
+			continue
+		}
+		binding = b
+		break
+	}
+	if binding == nil {
+		return fmt.Errorf("No binding for role %q in project %q", eBinding.Role, pid)
+	}
+	d.Set("etag", p.Etag)
+	d.Set("members", binding.Members)
+	d.Set("role", binding.Role)
+	return nil
+}
+
+func resourceGoogleProjectIamBindingUpdate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	pid, err := getProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	binding := getResourceIamBinding(d)
+	mutexKV.Lock(projectIamBindingMutexKey(pid, binding.Role))
+	defer mutexKV.Unlock(projectIamBindingMutexKey(pid, binding.Role))
+
+	for {
+		backoff := time.Second
+		log.Println("[DEBUG]: Retrieving policy for project", pid)
+		p, err := getProjectIamPolicy(pid, config)
+		if err != nil {
+			return err
+		}
+		log.Printf("[DEBUG]: Retrieved policy for project %q: %+v\n", pid, p)
+
+		var found bool
+		for pos, b := range p.Bindings {
+			if b.Role != binding.Role {
+				continue
+			}
+			found = true
+			p.Bindings[pos] = binding
+			break
+		}
+		if !found {
+			p.Bindings = append(p.Bindings, binding)
+		}
+
+		log.Printf("[DEBUG]: Setting policy for project %q to %+v\n", pid, p)
+		err = setProjectIamPolicy(p, config, pid)
+		if err != nil && isConflictError(err) {
+			log.Printf("[DEBUG]: Concurrent policy changes, restarting read-modify-write after %s\n", backoff)
+			time.Sleep(backoff)
+			backoff = backoff * 2
+			if backoff > 30*time.Second {
+				return fmt.Errorf("Error applying IAM policy to project %q: too many concurrent policy changes.\n")
+			}
+			continue
+		} else if err != nil {
+			return fmt.Errorf("Error applying IAM policy to project: %v", err)
+		}
+		break
+	}
+	log.Printf("[DEBUG]: Set policy for project %q\n", pid)
+
+	return resourceGoogleProjectIamPolicyRead(d, meta)
+}
+
+func resourceGoogleProjectIamBindingDelete(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	pid, err := getProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	binding := getResourceIamBinding(d)
+	mutexKV.Lock(projectIamBindingMutexKey(pid, binding.Role))
+	defer mutexKV.Unlock(projectIamBindingMutexKey(pid, binding.Role))
+
+	for {
+		backoff := time.Second
+		log.Println("[DEBUG]: Retrieving policy for project", pid)
+		p, err := getProjectIamPolicy(pid, config)
+		if err != nil {
+			return err
+		}
+		log.Printf("[DEBUG]: Retrieved policy for project %q: %+v\n", pid, p)
+
+		toRemove := -1
+		for pos, b := range p.Bindings {
+			if b.Role != binding.Role {
+				continue
+			}
+			toRemove = pos
+			break
+		}
+		if toRemove < 0 {
+			return resourceGoogleProjectIamPolicyRead(d, meta)
+		}
+
+		p.Bindings = append(p.Bindings[:toRemove], p.Bindings[toRemove+1:]...)
+
+		log.Printf("[DEBUG]: Setting policy for project %q to %+v\n", pid, p)
+		err = setProjectIamPolicy(p, config, pid)
+		if err != nil && isConflictError(err) {
+			log.Printf("[DEBUG]: Concurrent policy changes, restarting read-modify-write after %s\n", backoff)
+			time.Sleep(backoff)
+			backoff = backoff * 2
+			if backoff > 30*time.Second {
+				return fmt.Errorf("Error applying IAM policy to project %q: too many concurrent policy changes.\n")
+			}
+			continue
+		} else if err != nil {
+			return fmt.Errorf("Error applying IAM policy to project: %v", err)
+		}
+		break
+	}
+	log.Printf("[DEBUG]: Set policy for project %q\n", pid)
+
+	return resourceGoogleProjectIamPolicyRead(d, meta)
+}
+
+// Get a cloudresourcemanager.Binding from a schema.ResourceData
+func getResourceIamBinding(d *schema.ResourceData) *cloudresourcemanager.Binding {
+	members := d.Get("members").(*schema.Set).List()
+	m := make([]string, 0, len(members))
+	for _, member := range members {
+		m = append(m, member.(string))
+	}
+	return &cloudresourcemanager.Binding{
+		Members: m,
+		Role:    d.Get("role").(string),
+	}
+}
+
+func projectIamBindingMutexKey(pid, role string) string {
+	return fmt.Sprintf("google-project-iam-binding-%s-%s", pid, role)
+}
--- a/google/resource_google_project_iam_binding_test.go
+++ b/google/resource_google_project_iam_binding_test.go
@ -0,0 +1,237 @@
+package google
+
+import (
+	"fmt"
+	"sort"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/acctest"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+	"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+// Test that an IAM binding can be applied to a project
+func TestAccGoogleProjectIamBinding_basic(t *testing.T) {
+	pid := "terraform-" + acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Create a new project
+			resource.TestStep{
+				Config: testAccGoogleProject_create(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccGoogleProjectExistingPolicy(pid),
+				),
+			},
+			// Apply an IAM binding
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingBasic(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.acceptance", &cloudresourcemanager.Binding{
+						Role:    "roles/compute.instanceAdmin",
+						Members: []string{"user:admin@hashicorptest.com"},
+					}, pid),
+				),
+			},
+		},
+	})
+}
+
+// Test that multiple IAM bindings can be applied to a project
+func TestAccGoogleProjectIamBinding_multiple(t *testing.T) {
+	pid := "terraform-" + acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Create a new project
+			resource.TestStep{
+				Config: testAccGoogleProject_create(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccGoogleProjectExistingPolicy(pid),
+				),
+			},
+			// Apply an IAM binding
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingBasic(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.acceptance", &cloudresourcemanager.Binding{
+						Role:    "roles/compute.instanceAdmin",
+						Members: []string{"user:admin@hashicorptest.com"},
+					}, pid),
+				),
+			},
+			// Apply another IAM binding
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingMultiple(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.multiple", &cloudresourcemanager.Binding{
+						Role:    "roles/viewer",
+						Members: []string{"user:paddy@hashicorp.com"},
+					}, pid),
+				),
+			},
+		},
+	})
+}
+
+// Test that an IAM binding can be updated once applied to a project
+func TestAccGoogleProjectIamBinding_update(t *testing.T) {
+	pid := "terraform-" + acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Create a new project
+			resource.TestStep{
+				Config: testAccGoogleProject_create(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccGoogleProjectExistingPolicy(pid),
+				),
+			},
+			// Apply an IAM binding
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingBasic(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.acceptance", &cloudresourcemanager.Binding{
+						Role:    "roles/compute.instanceAdmin",
+						Members: []string{"user:admin@hashicorptest.com"},
+					}, pid),
+				),
+			},
+			// Apply an updated IAM binding
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingUpdated(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.updated", &cloudresourcemanager.Binding{
+						Role:    "roles/compute.instanceAdmin",
+						Members: []string{"user:admin@hashicorptest.com", "user:paddy@hashicorp.com"},
+					}, pid),
+				),
+			},
+		},
+	})
+}
+
+// Test that an IAM binding can be removed from a project
+func TestAccGoogleProjectIamBinding_remove(t *testing.T) {
+	pid := "terraform-" + acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			// Create a new project
+			resource.TestStep{
+				Config: testAccGoogleProject_create(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccGoogleProjectExistingPolicy(pid),
+				),
+			},
+			// Apply multiple IAM bindings
+			resource.TestStep{
+				Config: testAccGoogleProjectAssociateBindingMultiple(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.multiple", &cloudresourcemanager.Binding{
+						Role:    "roles/viewer",
+						Members: []string{"user:paddy@hashicorp.com"},
+					}, pid),
+					testAccCheckGoogleProjectIamBindingExists("google_project_iam_binding.acceptance", &cloudresourcemanager.Binding{
+						Role:    "roles/compute.instanceAdmin",
+						Members: []string{"user:admin@hashicorptest.com"},
+					}, pid),
+				),
+			},
+			// Remove the bindings
+			resource.TestStep{
+				Config: testAccGoogleProject_create(pid, pname, org),
+				Check: resource.ComposeTestCheckFunc(
+					testAccGoogleProjectExistingPolicy(pid),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckGoogleProjectIamBindingExists(key string, expected *cloudresourcemanager.Binding, pid string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		config := testAccProvider.Meta().(*Config)
+		projectPolicy, err := getProjectIamPolicy(pid, config)
+		if err != nil {
+			return fmt.Errorf("Failed to retrieve IAM policy for project %q: %s", pid, err)
+		}
+
+		var result *cloudresourcemanager.Binding
+		for _, binding := range projectPolicy.Bindings {
+			if binding.Role == expected.Role {
+				result = binding
+				break
+			}
+		}
+		if result == nil {
+			return fmt.Errorf("IAM policy for project %q had no role %q", pid, expected.Role)
+		}
+		if len(result.Members) != len(expected.Members) {
+			return fmt.Errorf("Got %v as members for role %q of project %q, expected %v", result.Members, expected.Role, pid, expected.Members)
+		}
+		sort.Strings(result.Members)
+		sort.Strings(expected.Members)
+		for pos, exp := range expected.Members {
+			if result.Members[pos] != exp {
+				return fmt.Errorf("Expected members for role %q of project %q to be %v, got %v", expected.Role, pid, expected.Members, result.Members)
+			}
+		}
+		return nil
+	}
+}
+
+func testAccGoogleProjectAssociateBindingBasic(pid, name, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+    project_id = "%s"
+    name = "%s"
+    org_id = "%s"
+}
+resource "google_project_iam_binding" "acceptance" {
+    project = "${google_project.acceptance.id}"
+    members = ["user:admin@hashicorptest.com"]
+    role = "roles/compute.instanceAdmin"
+}
+`, pid, name, org)
+}
+
+func testAccGoogleProjectAssociateBindingMultiple(pid, name, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+    project_id = "%s"
+    name = "%s"
+    org_id = "%s"
+}
+resource "google_project_iam_binding" "acceptance" {
+    project = "${google_project.acceptance.id}"
+    members = ["user:admin@hashicorptest.com"]
+    role = "roles/compute.instanceAdmin"
+}
+resource "google_project_iam_binding" "multiple" {
+    project = "${google_project.acceptance.id}"
+    members = ["user:paddy@hashicorp.com"]
+    role = "roles/viewer"
+}
+`, pid, name, org)
+}
+
+func testAccGoogleProjectAssociateBindingUpdated(pid, name, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+    project_id = "%s"
+    name = "%s"
+    org_id = "%s"
+}
+resource "google_project_iam_binding" "acceptance" {
+    project = "${google_project.acceptance.id}"
+    members = ["user:admin@hashicorptest.com", "user:paddy@hashicorp.com"]
+    role = "roles/compute.instanceAdmin"
+}
+`, pid, name, org)
+}
--- a/google/resource_google_project_iam_policy.go
+++ b/google/resource_google_project_iam_policy.go
@ -6,6 +6,7 @@ import (
 	"log"
 	"sort"

+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/terraform/helper/schema"
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
@ -257,7 +258,7 @@ func setProjectIamPolicy(policy *cloudresourcemanager.Policy, config *Config, pi
 		&cloudresourcemanager.SetIamPolicyRequest{Policy: policy}).Do()

 	if err != nil {
-		return fmt.Errorf("Error applying IAM policy for project %q. Policy is %#v, error is %s", pid, policy, err)
+		return errwrap.Wrap(fmt.Errorf("Error applying IAM policy for project %q. Policy is %#v, error is {{err}}", pid, policy), err)
 	}
 	return nil
 }